Bug 2212509 - Allow matching multiple wildcards, as described in manpage
Summary: Allow matching multiple wildcards, as described in manpage
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: keyutils
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: David Howells
QA Contact: Kun Wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-05 18:40 UTC by Frank Sorenson
Modified: 2023-06-26 14:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-158996 0 None None None 2023-06-05 18:44:01 UTC

Description Frank Sorenson 2023-06-05 18:40:42 UTC
Description of problem:

The manpage for request-key.conf(5) states:

       <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...

       The first four fields are used to match the  parameters  passed  to
       request-key  by the kernel. op is the operation type; currently the
       only supported operation is "create".

       type, description  and  callout-info  match  the  three  parameters
       passed to keyctl request2 or the request_key() system call. Each of
       these may contain one or more asterisk '*' characters as  wildcards
       anywhere within the string.

However, the code in keyutils.c states that only one asterisk is allowed in the entire pattern:

    /*****************************************************************************/
    /*
     * attempt to match a datum to a pattern
     * - one asterisk is allowed anywhere in the pattern to indicate a wildcard
     * - returns true if matched, false if not
     */
    static int match(const char *pattern, int plen, const char *datum, int dlen)


Multiple wildcards are necessary in some cases where multiple dynamic fields exist, for example with cifs.spnego:

ver=0x2;host=SERVER_HOSTNAME;ip4=SERVER_IP;sec=krb5;uid=0x0;creduid=0x0;user=USERNAME;pid=PID


Version-Release number of selected component (if applicable):

keyutils-1.5.10-9.el8.x86_64



How reproducible:

easy

Steps to Reproduce:

Attempt to match with multiple asterisks in the relevant request-key file:
/etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER1.keytab %k
create  cifs.spnego    ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER2.keytab %k


attempt to mount a cifs share using krb5 (it is not necessary to actually have cifs+kerberos set up correctly):

# mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER1
# mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER2


Actual results:

strings with multiple wildcards will not match


Expected results:

multiple wildcards are accepted, and work as described in the manpage


Additional info:

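An added example, not keyutils code, of a matcher that accepts any number of '*' wildcards, which is the behaviour request-key.conf(5) describes; the descriptions and the pattern below are constructed for the test, with ';' before every field:

```c
/* Added example (not keyutils code): a matcher that accepts any number
 * of '*' wildcards, as request-key.conf(5) describes.  '*' matches zero
 * or more arbitrary bytes, including ';' and '=', so a wildcard can span
 * field boundaries; spell out every field you rely on as a literal.
 * Iterative greedy matching with one backtrack point per '*' (the
 * classic O(n*m) glob algorithm); no recursion, so a long description
 * cannot exhaust the stack. */
#include <stdbool.h>
#include <stddef.h>

static bool match_wild(const char *pattern, const char *datum)
{
    const char *p = pattern, *d = datum;
    const char *star = NULL;       /* most recent '*' seen in pattern   */
    const char *star_datum = NULL; /* datum byte after what it absorbed */

    while (*d) {
        if (*p == '*') {
            star = p++;            /* remember '*', first try matching nothing */
            star_datum = d;
        } else if (*p == *d) {
            p++;                   /* literal byte matches */
            d++;
        } else if (star) {
            p = star + 1;          /* backtrack: let the last '*' absorb one more byte */
            d = ++star_datum;
        } else {
            return false;          /* mismatch with no wildcard to extend */
        }
    }
    while (*p == '*')              /* trailing wildcards may match nothing */
        p++;
    return *p == '\0';             /* pattern must be fully consumed */
}

/* Constructed cifs.spnego descriptions in the field layout quoted above. */
#define DESC_USER1 "ver=0x2;host=fs01.example.test;ip4=192.0.2.10;sec=krb5;" \
                   "uid=0x0;creduid=0x0;user=MYUSER1@EXAMPLE.TEST;pid=0x1092"
#define DESC_USER2 "ver=0x2;host=fs01.example.test;ip4=192.0.2.10;sec=krb5;" \
                   "uid=0x0;creduid=0x0;user=MYUSER2@EXAMPLE.TEST;pid=0x1093"

/* Constructed request-key.d pattern with five wildcards; the literal
 * user= field keeps the two keytab entries apart. */
#define PAT_USER1 "ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*;pid=*"
```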
Comment 1 Frank Sorenson 2023-06-05 18:58:06 UTC
Note:  when I said it is not necessary to have cifs+kerberos set up, I meant simply in order to test the matching; either recompiling request-key with debugging enabled or replacing the cifs.upcall with a script that logs its execution would work to verify that the matching is working as expected

